- From: Bucheli Konrad <konrad.bucheli AT psi.ch>
- To: "linux-announce AT lists.psi.ch" <linux-announce AT lists.psi.ch>
- Subject: AW: [[Linux-announce] ] improved account/group information caching with sssd
- Date: Wed, 16 Jul 2025 07:56:16 +0000
Dear Linux Admins
This change was rolled out this morning by Puppet.
With it, a new script was also introduced to handle the case where
group membership changes of a user in the AD should be reflected on the
system immediately. This tool is called "refresh_user"; a non-root user
can refresh the user information in sssd for himself:
refresh_user
or for someone else:
refresh_user muster_t
Note that a reboot does not clean the sssd cache. Also be aware that the
kernel does not update the group membership of a user in already running
sessions, independent of this change. Here are some tricks to work around this:
https://www.cyberciti.biz/faq/linux-refresh-reload-group-membership-without-logging-reboot/
Kind regards
Konrad
________________________________________
From: Bucheli Konrad
Sent: Wednesday, 9 July 2025 11:17
To: linux-announce AT lists.psi.ch
Subject: improved account/group information caching with sssd
Dear Linux Admins
On our RHEL installations the sssd service is responsible for
authentication and AD integration. Unfortunately sssd turned out to be
rather inefficient when dealing with big AD setups. So just looking up
the account information of a user with many groups can lead to > 40MB
network traffic and may need more than one minute. This already led to
problems on some systems. Currently that information is only cached for
5 minutes, so most of the time a lookup will be slow.
To improve the situation we plan to change the default configuration.
The idea is to keep the information in the cache longer (> 12 hours) and
refresh it automatically every 12 hours. So the user information
lookup may be slow only the very first time, and afterwards sssd can always
provide user information from the cache.
The downside is that changes in group membership in the AD will only be
visible on your Linux machine the next day.
We have already implemented this behavior in the "preprod" Puppet
environment. Without strong objections that change will reach production
and thus all nodes next Tuesday 16 July.
If you need different behavior please check out our documentation where
the possible configuration options are listed:
https://linux.psi.ch/admin-guide/configuration/basic/ad_integration.html#caching-ad-information
Besides, we are also in contact with Red Hat and hope to be able to
convince them to improve sssd in this regard.
Feel free to contact linux-eng AT psi.ch if you have questions or remarks.
Kind regards
Konrad
--
Paul Scherrer Institut
Konrad Bucheli
Linux Systems Engineer
Core Linux Research Services
Science IT Infrastructure and Services department (AWI)
OBBA/230
Forschungstrasse 111
5232 Villigen PSI
Switzerland
Phone: +41 56 310 27 24
konrad.bucheli AT psi.ch
www.psi.ch
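As an added illustration, not PSI's refresh_user script or actual configuration: a small Python check over two constructed sssd.conf fragments, one with a short cache and no background refresh, one with the long cache plus background refresh that the announcement describes. The option names entry_cache_timeout and refresh_expired_interval, their defaults, and the 3/4 guidance are taken from sssd.conf(5); the domain name and timeout values are constructed.

```python
import configparser

# Constructed sssd.conf fragments (not PSI's configuration). Values in seconds.
CONF_SHORT_CACHE = """
[sssd]
domains = example.com
[domain/example.com]
id_provider = ad
entry_cache_timeout = 300
"""

CONF_LONG_CACHE = """
[sssd]
domains = example.com
[domain/example.com]
id_provider = ad
entry_cache_timeout = 86400
refresh_expired_interval = 43200
"""

# Defaults per sssd.conf(5): entry_cache_timeout 5400 s, background refresh off.
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400
DEFAULT_REFRESH_INTERVAL = 0


def cache_policy(conf_text, domain):
    """Return (entry_cache_timeout, refresh_expired_interval, findings) for one domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = cp[f"domain/{domain}"]
    timeout = section.getint("entry_cache_timeout", DEFAULT_ENTRY_CACHE_TIMEOUT)
    refresh = section.getint("refresh_expired_interval", DEFAULT_REFRESH_INTERVAL)
    findings = []
    if refresh == 0:
        # Every expired entry is fetched from AD on the next lookup: the slow path.
        findings.append("no background refresh: lookups stall after every expiry")
    elif refresh > timeout:
        findings.append("refresh_expired_interval exceeds entry_cache_timeout: "
                        "entries expire before the refresh task picks them up")
    elif refresh > timeout * 3 // 4:
        findings.append("refresh_expired_interval above the 3/4 * entry_cache_timeout "
                        "guidance in sssd.conf(5)")
    if timeout > 12 * 3600:
        # The trade-off from the announcement: AD group changes show up late unless
        # the user's entry is invalidated (refresh_user at PSI, or sss_cache -u <user>).
        findings.append(f"AD group changes may take up to {timeout // 3600} h to appear; "
                        "invalidate the user's entry to force a refresh")
    return timeout, refresh, findings
```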